rulirahm
New Contributor

What do these errors mean?

Hi, currently we are using a FortiAnalyzer-1000B to analyze and report on log data from a FortiGate 800. We received errors in the Alert Message Console widget:

1. "The log disk has not been checked for errors for 57 mounts. You should run 'diag sys file-system fsfix'. If unsuccessful, you can also try running 'diag sys file-system fsrebuild'."
What if I try to run 'diag sys file-system fsfix' or 'diag sys file-system fsrebuild'? Is my FA gonna be just fine? What are the risks if these commands (the commands must be run from the CLI Console, right?) fail to run? And how long will these commands take to execute? (Our FA hard disk's size is 916.89GB; usage: 5.22GB of 916.89GB.)

2. "The configured primary DNS server is not reachable. A valid DNS server is required for resolving IP addresses to hostnames in reports."
"The configured secondary DNS server is not reachable. A valid DNS server is required for resolving IP addresses to hostnames in reports."
I've tried to use local and supplied DNS (DNS supplied by our ISP). But we still received the same errors. How do I fix it?

3. "Failed to transfer file 1503:1628870483:104 to FortiAnalyzer: No such file or directory."
"The system has deactivated session fail mode"
"The system has entered conserve mode"
"The system has activated session fail mode"
"The system has entered system conserve mode"
"The system exited conserve mode"
We received tons of these errors. What do they mean and how do I fix them?
rulirahm
New Contributor

I've tried the command 'diag sys file-system fsfix'. But there is still no message in the Alert Message Console widget. It's just the same :( When viewing the report of 'diag sys file-system fsfix' using the command 'dia sys file-system fsreport', it shows:

FortiAnalyzer-1000B # dia sys file-system fsreport
/dev/md0: 9985/122109952 files (7.3% non-contiguous), 5230539/244189966 blocks

Is our FAZ in error? About the DNS, I already fixed it. It wasn't because of the firewall. It was because another port (System -> Network -> Interface) was still 'Bring Up', and there was still an IP address assigned there. Our FAZ uses just one port to connect to the FG. After I did 'Bring Down' on the other port, I was able to ping our local DNS again, and I was able to view 'Resolve Host Name' (Log & Archive). Yes, I can use the command right now:

FortiAnalyzer-1000B # config system alert-console
(alert-console)# set severity-level emergency
(alert-console)# end
FortiAnalyzer-1000B #

Thank you for the help. Now, my new question. I can configure the LDAP configuration. I can query the LDAP Distinguished Name Query based on Anonymous or Regular server type. Our company uses an LDAP server (domain server). Each user must log in to the domain server if they want to use their PC. Our domain server is running Windows 2008 Server. My main goal is that, by configuring LDAP, I can view the 'User' column in Log & Archive based on the LDAP server. But I can't. What is the 'User' column for, BTW?
rulirahm
New Contributor

Hi ede_pfau, I'm not sure about:

Please read into the Admin Guide again about the file system choices. In my understanding the 'internal indexed file system' is identical to the 'Local database'. Only recently Fortinet introduced the option to store the data in a SQL database (both internally and externally). This allows a lot more detail in analyzing but it doesn't run with the 'old' reports - you'll have to build your reports from scratch. (So I reverted back to the Local DB after trying it out.)

Because, as the Admin Guide said (Rev. 5 & 13):

Configuring SQL database storage
The FortiAnalyzer unit saves logs received to the default proprietary indexed file storage system which is always ready to accept log data, it can also insert the log data into the Structured Query Language (SQL) database for generating reports. Both local and remote SQL database options are supported.

I've uploaded the pic of the SQL configuration of my FAZ 1000B. I'm asking this question again because of my previous question (LDAP):

Now, my new question. I can configure the LDAP configuration. I can query the LDAP Distinguished Name Query based on Anonymous or Regular server type. Our company uses an LDAP server (domain server). Each user must log in to the domain server if they want to use their PC. Our domain server is running Windows 2008 Server. My main goal is that, by configuring LDAP, I can view the 'User' column in Log & Archive based on the LDAP server. But I can't. What is the 'User' column for, BTW?

After I read into the Admin Guide again:

LDAP queries are used in FortiAnalyzer reports as an additional filter for the user field, providing a convenient way for filtering log data without having to list the user names manually. For example, you need to create a scope in a report that is restricted to include only log messages whose user= field matches user names retrieved from the network’s main LDAP server. For more information about LDAP queries in FortiAnalyzer reports, see “Configuring reports from logs in the proprietary indexed file system” on page 145.

Configuring reports from logs in the proprietary indexed file system
If you have disabled SQL database for log storage in System > Config > SQL Database, you must instead configure reports based on logs from the proprietary indexed file system.

I'm sorry for asking you this question again.
ede_pfau
SuperUser

I cannot really answer your last post as I cannot see any question there... but I'll try guessing. I'd use the Fortinet prop. database as long as you don't speak SQL fluently. If you do, then go with the SQL database. In the screenshot you posted, select "Disabled" to use the prop. DB, and "Local" to use an SQL DB on the local disk.

You get the user identification using the FSAE software on your AD controller. It sends back the login credentials to the FGT. It can be downloaded from the Fortinet ftp site. (As this is not my turf, that's more or less all I can contribute to this.)
Ede Kernel panic: Aiee, killing interrupt handler!
rulirahm
New Contributor

Thanks for the info about FSAE. I'll study it.
rulirahm
New Contributor

Hi ede_pfau, right now my FAZ has received a new error (I attached the pic). What does this error mean? Oh yes, if you have any link/reference about FAZ errors, please let me know.

Regards, Ruli
ede_pfau
SuperUser

I'd think there is an error with one of your VPN IPSec tunnel setups. You can switch to the "raw" display (top right corner) to see more details. Or, if you use v4.2 and higher, just double-click one message to see details.
Ede Kernel panic: Aiee, killing interrupt handler!
rulirahm
New Contributor

Hi ede_pfau, now my FAZ has received a new error again: "Disk has rolled the max number of times. It will not roll logs again until deleting some of the old rolled logs". It looks like a serious error and I don't know how to handle it. How do I delete some of the old rolled logs? Please help me. The error started on June 19, 2011 and still occurs. I attached the pic.

FYI, our FAZ's Log File Options is set to Optional:
- Log file should not exceed 100 MB
- Log file should be rolled Optional even if size is not exceeded

Oh yes, why does this error occur? How can I prevent it? With this error, do all the reports still continue? The last thing I did was create many Past Week reports and put them on the dashboard, and I also put many Last 24 Hours reports on the dashboard too. Maybe creating many reports and putting them on the dashboard caused this error? I'm also often (not very often) trying these CLI commands:
- Remove and rebuild the widget reports on the dashboard: diag sys dashboard rebuild-reports
- Use this command to send logs received by the FortiAnalyzer unit to the SQL database for generating reports: execute reset-sqllog-transfer
rulirahm
New Contributor

Hi, we've contacted technical support in our country about the error on our FAZ 1000-B: "Disk has rolled the max number of times. It will not roll logs again until deleting some of the old rolled logs." (see my previous post above). The support told me that I must format the log disk using the command execute formatlogdisk, using a console cable and HyperTerminal. I did that but the error still occurs. I've saved the output of the HyperTerminal session:
FortiAnalyzer-1000B # execute formatlogdisk
This operation will ERASE ALL data on the log disk!
The unit will now REBOOT.
Do you want to continue? (y/n)y
FortiAnalyzer-1000B #
The system is going down NOW !!
Pausing log daemons...
Failed to unmount the storage directory /Storage
Failed to unmount the log disk /drive0
Stopping RAID ...
Failed to stop RAID
Please stand by while rebooting the system.
ÿÿýýcõcõ
Press the spacebar to pause...
KEY MAPPING FOR CONSOLE REDIRECTION:
Use the <ESC><0> key sequence for <F10>
Use the <ESC><!> key sequence for <F11>
Use the <ESC><@> key sequence for <F12>
Use the <ESC><Ctrl><M> key sequence for <Ctrl><M>
Use the <ESC><Ctrl><H> key sequence for <Ctrl><H>
Use the <ESC><Ctrl><I> key sequence for <Ctrl><I>
Use the <ESC><Ctrl><J> key sequence for <Ctrl><J>
Use the <ESC><X><X> key sequence for <Alt><x>, where x is any letter key, and X is the upper case of that key
Use the <ESC><R><ESC><r><ESC><R> key sequence for <Ctrl><Alt><Del>
Phoenix ROM BIOS PLUS Version 1.10 2.5.0
F10F11U= Boot Menu F Testing memory. Please wait. 2 = Testing memory. Please wait.
One 2.00 GHz Quad-core Processor, Bus Speed: 1333 MHz, L2 Cache: 2x6 MB
System0MemoryQSize:o2.0PGB,eSystemBMemoryeSpeed:3667zMHz2 Cache: 2x6 MB
System Memory Size: 2.0 GB, System Memory Speed: 667 MHz
Dell SAS 6 Host Bus Adapter BIOS MPTBIOS-6.22.03.00 (2008.08.06)
Copyright 2000-2008 LSI Corporation. ( 8 tion.
Searching for devices at HBA 0...
SHBAcIDngLUNrVENDORes PRODUCT0... REVISION CAPACITY
--- --- --- -------- ---------------- --------- ----------
0 0 0 ATA WDC WD1002FBYS-0 0C06 931 GB
0 8 0 DP BACKPLANE 1.05
0 LSILogic SAS1068E-IR 0.25.47.00 NV 2D:09
Dell Inc. MPT boot ROM successfully installed!
Remote Access Configuration Utility 1.26
Copyright 2006 Dell Inc. All Rights Reserved
Baseboard Management Controller Revision 2.37
Primary Backplane Firmware Revision 1.05
IP Address: 0 . 0 . 0 . 0
Netmask: 0 . 0 . 0 . 0
Pressa<Ctrl-E>0for0Remote Access Setup within 5 sec......
L--- U>>>>>>>>>>>>>..
FortiBootLoader FL1000B (14:26-11.14.2008)
Ver:00010010
Serial number:FL-1KB3R09000198
Total RAM: 2043MB
Boot up, boot device capacity: 927MB.
Press any key to display configuration menu...
..................
Reading boot image 2102316 bytes.
Initializing FortiAnalyzer...
Starting RAID array ... done
Formatting log disk ... done
Mounting log filesystem ... done
Creating swap file ... done.
FortiAnalyzer-1000B login: admin
Password:
Welcome!
FortiAnalyzer-1000B #
While waiting for the reply email from support, any suggestions about our FAZ problem? Oh yes, the Device menu also received an error: The system time on this device is not synchronized with this FortiAnalyzer. Any help?
rulirahm
New Contributor

Hi, I have another question regarding an error/warning message from the Event log's LocalLogs (Log & Archive - Event - LocalLogs) on the FAZ 1000-B:

raid1: raid set md0 active with 1 out of 1 mirrors

What does it mean?